Password Best Practices and Standards

Overview

Protect Your Password

Your University Computing Account username and password are your key to accessing a wide range of resources at Pitt. For faculty and staff, these resources include sensitive information such as your Pitt Worx pay statements, benefits open enrollment, TIAA-CREF retirement account details, and UPMC health plan information. In addition, your University Computing Account has access to other data that is regulated by the Family Educational Rights and Privacy Act (FERPA) and Gramm-Leach-Bliley (GLB) Act. You should never share your password with anyone, for any reason. By protecting your password, you also protect the important resources and data to which your password grants you access.

Detail

Pitt Information Technology uses a robust array of sophisticated security tools to protect University information. However, everyone affiliated with Pitt shares in the critical responsibility of protecting the University’s computing environment. It is against University policy 10-02-05, University policy 10-02-06, and security best practices to share your username and password with anyone. If you need to delegate responsibility for password-protected functions to another person, please call the Technology Help Desk at 412-624-HELP (4357) to request assistance. Most of our enterprise services support this type of delegation.

Keep in mind these important password tips:

Create a strong password that combines eight to 14 letters, numbers, and special characters – in general, the longer the better!
Be sure to log out when you have finished using the My Pitt website or other computing resources that require you to log in with your password. It is also recommended that you close all browser windows and completely exit your web browser program when you have finished using the service.
Change your password regularly. Students, faculty, and staff are required to change their University Computing Account password at least every 180 days.
Remember that no one from any reputable organization, including the University of Pittsburgh, will ever ask you to divulge your password over the phone or in an email. If you are asked for your password in an email or over the phone, this is usually a sure sign of a phishing scam.
Scan your computer regularly with Antivirus since some viruses and spyware programs can collect and transmit your account information. Learn more...
If you have not already done so, set your Password Security Questions at the Accounts Self-Service page.

The following table illustrates the time it would take a hacker to brute-force crack your password for different types of characters as well as character count:

**Time It Takes A Hacker To Brute Force Your Password**
Number of Characters	Numbers Only	Lowercase Letters	Upper and Lowercase Letters	Numbers, Upper and Lowercase Letters	Numbers, Upper and Lowercase Letters, Symbols
4	Instantly	Instantly	3 secs	6 secs	9 secs
5	Instantly	4 secs	2 mins	6 mins	10 mins
6	Instantly	2 mins	2 hours	6 hours	12 hours
7	4 secs	50 mins	4 days	2 weeks	1 month
8	37 secs	22 hours	8 months	3 years	7 years
9	6 mins	3 weeks	33 years	161 years	479 years
10	1 hour	2 years	1k years	9k years	33k years
11	10 hours	44 years	89k years	618k years	2m years
12	4 days	1k years	4m years	38m years	164m years
13	1 month	29k years	241m years	2bn years	11bn years
14	1 year	766k years	12bn years	147bn years	805bn years
15	12 years	19m years	652bn years	9tn years	56tn years
16	119 years	517m years	33tn years	566tn years	3qd years
17	1k years	13bn years	1qd years	35qd years	276qd years
18	11k years	350bn years	91qd years	2qn years	19qn years
View the original image from which this table was created at Hive Systems. Data sourced from HowSecureismyPassword.net.

Additional Password Information

All University students, faculty, and staff are required to change their University Computing Account password twice per year via the Accounts Self-Service page.

This important requirement enhances security and helps protect your data. It is one part of a larger, layered security strategy. Multiple security measures protect against hackers, phishing scams, malicious software, and myriad other threats to the University's computing environment.

Here is how the process works. You will be required to change your University Computing Account password at least once every 180 days. As you approach the 180 day limit for your current password, you will see Password Update and Security Questions windows. They will appear each time you log in to My Pitt, indicating how many days you have remaining to change your password. This information must be updated as requested by following the instructions on each page, or you could potentially be unable to access select services until this information is complete. The password cannot be re-used within a year, and you cannot reuse any of your previous six passwords.

Related Information

Additional Instructions

Frequently Asked Questions

Why am I required to change my password?

Your University Computing Account gives you access to many computing services at Pitt, including email, the Learning Management System (Canvas), and My Pitt. These systems may contain personal and sensitive information about you. Increasingly, malicious software and other methods such as "phishing" are being used to try to obtain your password. If someone acquires your password, they will gain unauthorized access to your computing account and University resources. Periodic password changes will help to safeguard your account.

How does the password change wizard work?

When you click the link in the yellow notification box, you will be asked to complete the following steps:

Review your Emergency Notification Service (ENS) contact details and modify them if necessary.
Review and, if necessary, modify your emergency contact information (students only).
Review the three security questions you can use to reset your password online if you forget it. If you have never set your security questions, you will be required to do so before proceeding.
Change your password.

Do I have to wait for the notification message to display before I can change my password?

No. You can change your password at any time. Log in to the Accounts Self-Service page to manage your password and security questions.

Keep in mind that if you change your password today, you can avoid seeing the notification message for another 180 days.

How do I pick a strong password?

The following requirements have been put in place to help you choose strong password:

Your new password must be eight to 14 characters long
Your new password must consist of some combination of letters and numbers and must also contain at least one special character (for example, +, @, #, or $)
The following special characters can NOT be used: _ ` < > & ! . ,
You cannot use your name, username, or any portion of these as your password
You cannot reuse the same password within a year, and you cannot reuse any of your previous six passwords

In addition, keep in mind that passwords that contain only letters and dictionary words are easier for someone to guess or for computer programs to decipher.

Tips for creating a strong password (video) >

How can I keep track of my different passwords?

Try a password manager like Pitt Password Manager (LastPass). Pitt Password Manager makes it easy to generate strong, unique passwords for every service you use, helping to protect your Pitt-related services, as well as your personal services.

It's important to use different passwords for your digital accounts. Your University Computing Account password, online banking passwords, and social media passwords should all be different. With so many passwords, it can be easy to forget them or mix them up along the way. Pitt Password Manager simplifies your online life by saving your passwords in a secure vault that you can access from any device, using a single, strong master password. You no longer have to remember unique passwords for every site you visit. Pitt Password Manager remembers them for you.

Business accounts are recommended for storing and sharing your University-related passwords and information. Premium accounts are recommended for storing your personal passwords and information. You can link your Premium account to your Business account so that you can easily manage all of your passwords from one convenient interface.

What happens if I do not change my password before it expires?

If you do not change your password before that password expires, when you log in to My Pitt you will only see the password change wizard. As soon as you change your password, you will be able to use My Pitt normally again.

I'm having difficulty connecting to my email and to the network from my mobile phone after changing my password. What should I do?

It is possible that your phone has stored your previous password locally. You will need to update the old password that is stored on your phone so that it matches your new University Computing Account password.

I'm having difficulty connecting to PittNet Wi-Fi after changing my password. What should I do?

If you have difficulty connecting to PittNet Wi-Fi after changing your password, please follow the standard connection instructions. If you still cannot connect to PittNet Wi-Fi, contact the Technology Help Desk at 412-624-HELP (4357).

Will people with sponsored accounts be required to change their password every 180 days?

Yes. Anyone with a sponsored account will also be required to change his or her password at My Pitt every 180 days. Those with sponsored accounts will not be prompted to enter ENS information during the password change wizard.

It is strongly suggested that you change your password as soon as you receive your University Computing Account. You can do this at the Accounts Self-Service page.

Your new password:

Should consist of some combination of letters and numbers, and must include at least one special character (for example, +, @, #, or $)
Should not use your name, your username, or a portion of these
You cannot reuse the same password within a year, and you cannot reuse any of your previous six passwords

Setting Your Security Questions

If you haven't already done so, be sure to select the three security questions and answers. They will be used to confirm your identity in the event you forget your password.

Log in to the Accounts Self-Service page.
Change your password under the "Login & Security" tab.
Update your security questions under the same "Login & Security" tab (under the "Update Security Questions" secondary tab).

Once you have set your security questions, you do not need to change them the next time that you change your password.

Note: To enhance security and protect data, students will be required to change their University Computing Account password twice per year at the Accounts Self-Service page. A prompt will appear on My Pitt when it is time for you to change your password.

If you have difficulty connecting to PittNet Wi-Fi after changing your password, please follow the standard connection instructions.

Reset Your Password if You Forget It

Students, faculty, and staff who forget their University Computing Account password can use the Self-Service Password Reset Service to reset their password online quickly and securely. You must select and answer three online security questions before you can use the Self-Service Password Reset Service. If you forget your password, you will be prompted to answer these security questions in order to verify your identity. If you forget your password and have not set your security questions, you will need to visit a Student Computing Lab to have your password reset.

There are several ways you can reset your password if you forget it

A. Reset Your Password–You Have Your Security Questions

Note: If you haven't already set your password security questions, you will need to use one of the methods below.

Click the Forgot password? link on the login page of My Pitt.
Enter your University Computing Account username and date of birth. Click Next.
Answer your three security questions and click Next.
Enter and confirm your new password, then click Submit.

Your password has been successfully reset.

B. Reset Your Password–You Do Not Have Your Security Questions

Contact the Technology Help Desk by submitting an online request or calling 412-624-HELP (4357). The Technology Help Desk will ask specific questions to confirm your identity and will give you a new password over the phone only if you can answer these questions.
or
Pittsburgh campus only: Stop at a Student Computing Lab with a government-issued ID, such as a driver's license or passport. The lab monitor will verify your identity and call the Technology Help Desk at 412-624-HELP (4357), which will give you a new password over the phone.

Important Notes about Resetting Your Password

If you call the Technology Help Desk, then your password will only be given to you by phone. It will not be sent by any electronic means (for example, email, instant message, or text message).
After your password has been reset, you should immediately change it. Access the "Login & Security" section of the Accounts Self-Service page using your University Computing Account username and the password.
Once logged in, follow the instructions on the page to manage your password and security questions. You will be prompted to select and answer three password security questions that will enable you to reset your password online.

Resetting Passwords for Sponsored Accounts

If you have a sponsored account, you must ask your Responsibility Center Account Administrator or the account sponsor to contact the Technology Help Desk on your behalf. The Technology Help Desk will ask specific questions to verify the identity of the Responsibility Center Account Administrator or account sponsor. Then they will provide a new password to them over the phone. The Responsibility Center Account Administrator or account sponsor will then distribute the new password to you.

0 reviews

Print Article